HomeКомпьютерные игрыRelated VideosMore From: CrushedPixel

CrushedPixel's Magic Skull - A Minecraft Security Issue

499 ratings | 14950 views
THIS ISSUE HAS BEEN FIXED BY MOJANG IN MINECRAFT 1.8.4! I have found a security issue with custom player skulls. Thanks to QwertyuiopThePie for coming up with the idea!
Html code for embedding videos on your blog
Text Comments (330)
migdyn (1 month ago)
THERE'S NO DANGER! WHY DID THE REMOVE IT? IT'S SO COOL!
Rey Rosario (2 years ago)
it doesnt work :(
Our security is more important than decoration.
MAVWombo (2 years ago)
That's Scary
Array (2 years ago)
>Given head to CrPxl ( ͡° ͜ʖ ͡°)
Anthony Chiboucas (2 years ago)
That's not a real security hole. Doing that requires admin, and that said admin pastes the command in there. It would take an extra bit of silly to just paste a command like that without thinking about it.
clipy (3 years ago)
can you add GitHub for this code? I want to do a cool 1 command block / vanilla mod with it (1.8 - 1.8.3)
Josh Clarence Elazegui (3 years ago)
NO ANONYMOUS HAS TAUGHT HIM EVRYBODY RUN DONT USE HIS WEBSITE
CoolAsFreya (3 years ago)
How was it fixed
NoHaxJustPotato (3 years ago)
+CrushedPixel If you replay to this comment, you'll make my day!
He found this major security issue in Minecraft and shared it on internet? xD
The Sad Ghost (3 years ago)
+CrushedPixel But you have to change your skin.
+CrushedPixel Yeah, I saw that video. But the website can't make the "hidden virus/URL" thingy though, can it?
+SadGhoster87 | PokeSpriterAce I know they removed it, but I thought it was funny.
CrushedPixel (3 years ago)
+SadGhoster87 | PokeSpriterAce That's not true, I already made a replacement tool for custom player heads...
The Sad Ghost (3 years ago)
+Bedrock Elite And caused Mojang to entirely remove custom heads, yes.
Fuffles Softpaws (3 years ago)
Awesome a new thing to hack Minecraft accounts AND your PC's 
bernus PL (3 years ago)
Music name ?
400stes like :P
Cesrap (3 years ago)
+CrushedPixel Are you German? Im asking because you have a German like accent.
Sam Taen (2 years ago)
+DragonriderLP nine months is bot a year😀
Cesrap (2 years ago)
+Sam Taen Dude, that was a year ago, of course i know now that he is a German
Sam Taen (2 years ago)
I think yes hè is german
Sky (3 years ago)
Will custom skulls not work anymore because this is fixed in 1.8.4?
The Sad Ghost (3 years ago)
+Crystal MC That's exactly what happened.
The Sad Ghost (3 years ago)
"Fixed by Mojang in 1.8.4" If by fixed you mean *you made them disable custom heads entirely*!
EightBit Glasses (3 years ago)
+CrushedPixel i thought i remembered someone saying that the devs were going to find a way to allow somewhat custom player heads?
TechPanther (3 years ago)
I don't really need to tell you that this isn't a bug, and that it shouldn't be fixed. But that doesn't matter to Mojang, because they fixed it. They removed custom player heads. You scared them out of a powerfull feature. You asshole.
AVRIOX (3 years ago)
For a german your pronunciation is pretty awesome :P I am Austrian and i know how hard it can be ;)
Mewtwo God of Dolphins (3 years ago)
If I used this it would be different skulls giving them a message because it'd have a download so *Player Sees Skull it downloads a text document saying gr8 u paly minceraft m8*
Morbytogan (3 years ago)
Does this mean that we can make people connect to a different minecraft server when they look at a certain head?
The Hyper Cube (3 years ago)
so i see this is still existing...
chompy101 (3 years ago)
but... I love custom minecraft heads
Afternoongaming (3 years ago)
I don't think this is a security issue, i would call it a secret feature. It would be nice if Mojang wouldn't remove it. They should just add an option that says Custom Player heads, which enables or disables this feature/bug.
XonerqGaming (3 years ago)
...
Conga (3 years ago)
Phishing.avi
Gaming Zer0 (3 years ago)
Creepy
Crundee Is Real (3 years ago)
Mojang should add some sort of in-game head editor or some sort of command using the minecraft default color code
Crundee Is Real (3 years ago)
Dinnerbone did say he was going to fix this but it has been a year. This is very bad...
Mrjamesgaming WD (3 years ago)
so anyone could just sneak this into a only one command thing? AHHHH SAVE ME!!!
mike conz (3 years ago)
Thanks for showing us this glitch no body knew now people can abuse it because this video showed it off.
Nicolás Hurtado (3 years ago)
Why don't you tell it to Mojang?? We might loose that filter but this is even more important
SpiritClaw (3 years ago)
Shit, Aiden Pearce is here.
Geraldgalaxy (3 years ago)
EVERYONE DONT PUT THE COMMAND ITS DANGEROUS
NukeML (3 years ago)
Could the link possibly be made into a download for a virus? O_o
TechPanther (2 years ago)
+Eskimo Paladin Sure, webpages can do that. However, even if you send minecraft a webpage instead of an actual skin file, minecraft will interpret it as a skin file. It will notice that the signature is wrong, and assume the file is corrupted. No custom skin. No running a webpage behind your back.
Eskimo Paladin (3 years ago)
+NukeML There are some websites if you go on them they automatically download something right?I guess that means viruses can be downloaded using the skull in a map.
The Redstone Scientist (3 years ago)
This is pretty scary
Place Name Here (3 years ago)
The saw to keep custom skulls but remove security issues is to make it so it can't link to a random website and can only link to something like minecraft.net and then make it so you can upload thaw to minecraft.net theen u have the issue of hiding a .exe inside the .omg to fix this make it so it fully converts the image :)
Place Name Here (3 years ago)
i didnt mean .omg i meant .png can u believe i used a phone GG autospell
Chicken In A Suit (3 years ago)
+Place Name Here  .omg? is that a new file type? LOL
MCEvan99 (3 years ago)
I'm glad I made my skin... Never going to change it again! Nothing hosts it except minecraft.net.
Aaron Nuqui (3 years ago)
That's a bit ....... Creepy .......
Games and Other Things (3 years ago)
LOL You said in-security which sounded like insecurity, like the one where you are like "why am I so ugly."
Vrail Nightviper (3 years ago)
Wow... I'm not sure what to think of this.....
Redstoneologist (3 years ago)
This is SCARY because if people make adventure maps and use this magic skull in it, they can track the people who play the map and can hack them.
Rider Playz (3 years ago)
Hey
Redstoneologist (3 years ago)
Hacker!!! xD!
Goldenturkey97 (3 years ago)
neat idea man! :D
Laff70 (3 years ago)
For those worrying about getting viruses with this I think they should relax. Even if this has you download a virus Minecraft will just READ it, not EXECUTE it. After that Minecraft should just crash with no other damage being done. Viruses don't run themselves. Sure a virus could be put in an auto-run folder but Minecraft doesn't put it in one of those. It just puts it in a regular old folder. The only way a virus could get ran is if some stupid player goes into the folder and decides to run the virus. Now, why would you even think Minecraft would run the virus??? Minecraft is expecting to get a .png file, You can't EXECUTE a .png file so why the Nether would Minecraft even try?!?!?! Instead it would try to READ(not execute) it and your game would harmlessly crash.
Laff70 (2 years ago)
+Harryson Why It's ok. I'm sometimes derpy myself.
Harryson Why (2 years ago)
i think i didntt read the whole thing...which i shold have, you already explained it...im such a skrub
Laff70 (2 years ago)
+Harryson Why I know.
Harryson Why (2 years ago)
+Laff70 accually minecraft cant run png files tey only READ it...so if there was an exe binded it would be read not executed
Laff70 (3 years ago)
+Gabriel Pulido That's what I thought.
WizardXZD (3 years ago)
I just realized, wouldn't there be tons of more uses for this? Could you possibly make a chat board in vanilla minecraft, connecting skulls to a chat board?
Christian Jordan (3 years ago)
dis is scurry
BlueberryBee (3 years ago)
Great, now everyone knows how to do this.. Prepare for the ultimate server analytics website..
Laff70 (3 years ago)
Servers can get the IPs of their players too. I'm not sure that this is that bad in all honesty.
DaNikeTraptions (3 years ago)
Or I suppose you could make sure the extension is .png
DaNikeTraptions (3 years ago)
+DaNikeTraptions Or a data URI
MrIlliteracy (3 years ago)
I connected to http://crushedpixel.eu/skull/tracking_skull.php with a proxy from France. Mojang could fix this problem by instead of connecting to the website from the player's computer, they could make it send a request to access this website from a different IP and download only the image file then send it back to the player's computer. It might take an extra server but it could allow players/map-makers to use custom skulls and not have their player's IPs tracked. Alternatively they could download the image file from the site and host it on their own computers (but the 1st option sounds better). That would solve the ip and geo tracking. Thinking of how to solve file hiding... EDIT: Alternatively (again) the player skins could be hosted within the Minecraft world (locally) instead of online but does not sound very efficient.
YouTube Commenter (3 years ago)
2 things: 1, now some people might use this trick against people, and 2, I played on that seed before!
clam_shell (3 years ago)
You might want to tell them about this.
system_update (3 years ago)
Would it even be possible to fix this without removing custom heads
apc300 (3 years ago)
don't be silly..... yes if they patched this you could still use custom head generators, they'd just be coded slightly different.....
TheDubstepFox (3 years ago)
actually dude I am sending the email now
TheDubstepFox (3 years ago)
Dude I am emailing Mojang and YouTube letting them know u showed ppl how to hack into ppls computers using mine craft. Hopefully ur channel gets banned. U have 1 day to take down this video until the email sends.
Richard W (3 years ago)
+TheDubstepFox This is a troll right? Or are you the biggest idiot on the internet?
jd6 (3 years ago)
Wtf he's just reporting the bug
The Red Mushroom (3 years ago)
CrushedPixel, I have MCEdit on OS X Yosemite and it doesn't load when I start up. Can you provide a download link for a working MCEdit for OS X Yosemite, please?
It's harmless it's not like that can access your files. Also most emails have 1x1 px images to do the same
gravetender (3 years ago)
United States NSA see everything!
Sam Taen (2 years ago)
But that (i hope) are good people
This is harm less
AwkieLYT (3 years ago)
I think I'll stick with single player from now on.
Alyssa Morales (3 years ago)
+AnotherGenericGamer Downloadable adventure maps + internet connection ;)
Christian Jordan (3 years ago)
+AnotherGenericGamer lol me to
TheDestruc7i0n (3 years ago)
Not like I was using this a few months back or anything...
Laff70 (3 years ago)
+TheDestruc7i0n Didn't you post on reddit too or something???
Mojken (3 years ago)
Doesn't custom resource packs give you exactly the same amount of power?
CookiesAndMil_ (3 years ago)
I would have talked to Mojang support before uploading but good to know
Harryson Why (2 years ago)
+CookiesAndMil_ | Rebirth, Redstone & More! he did...i think
GeekIWG (3 years ago)
Really though. This is no more dangerous or a security issue than visiting ANY website. All someone can get from you is your IP. I really don't mind it. Plus the ability to have analytics for your map might be useful to map makers. Why isn't someone getting your IP a security risk? Well, your IP is given out to people every day: Whenever you visit ANY website, that website knows your IP. Whenever you download a map, your IP is revealed. Whenever you connect to any Minecraft server, your IP is sent to that server. The server admins can see it. Has any of this ever caused problems? I don't think so.
FiveTwelve (3 years ago)
So this mechanic can make it possible for minecraft to interface with a website if utilized properly. I can think of some possibilities right now.
JWire (3 years ago)
#s3cr3t
Tomáš Janoušek (3 years ago)
Lol :O !?
Lachy Fish (3 years ago)
wow thats creepy (i did it)
Pablete12 (3 years ago)
if i got it right: the text with base64 should be a .png encoded in base64, right? and minecraft would read that png, but instead, it's also allowing to grab a .png (or any other file) from a specified url? if that's the case, custom textures should't be broken, just specify a "textures" base64 encoded image, (the image itself, not a link to download it)
Michael E. (3 years ago)
+Pablete12 That would mean having the whole image in the NBT data, which means it will be pretty big, probably above the limit (if there is one) for nbt size.
PlayLikeLars (3 years ago)
But I think you could also do some cool stuff with this, or?
Äkwav . ÄKWAV (3 years ago)
Seriosly
Ozillion (3 years ago)
This feature should be replaced by just adding a skin as a part of resource pack. Defenitely not as good but it is the best substitute I can think of. Having custom heads is a very good feature and there has to be a way to use them without having a bunch of alternative accounts.
You can get infected through the executed php code, don't you? Or does you just track the IP without any php scripts?
piotrex43 (3 years ago)
It will be removed anyway... According to Dinnerbone... 11 months ago... http://www.reddit.com/r/MinecraftHeads/comments/24quwx/discussion_game_over/chatznf
Place Name Here (3 years ago)
+CrushedPixel I said how to fix this issue in the comments it's pretty simple please read it can't be bothered to type it
CrushedPixel (3 years ago)
+piotrex43 Now they have even more reason to do so ;)
Fits de Spits (3 years ago)
I already did than encoder thing
Martin Pavlas (3 years ago)
Czech ;) :D
Colorfusion1 (3 years ago)
Is this not just the information that a server can easily get about anyway? There's nothing personally identifying. I don't see an OP being able to count how many people have joined their server, or a map maker how many people have played their map, as being a vulnerability worth getting rid of custom heads for.
SapphFire (3 years ago)
Idk what to say :O :( :)
Kreeze (3 years ago)
So, why can't Mojang just make a whitelist for servers that are good for Minecraft to download from, and then not let any other servers send files to the client?
DragonGaming (3 years ago)
This is extremely dangerous if a hacker uses this he could down so many poeple
SHsuperCM_old (3 years ago)
+CrushedPixel i gave you a dislike because i dont think the player texture should be removed, alternatively i think they should limit it to a cloud system such as imgur and check is the link given is an imgur link
SHsuperCM_old (3 years ago)
+QwertyuiopThePie why? if it does that +CrushedPixel should not be able to download it from his website i think it WILL be a pretty good idea to limit the link to imgur links only
QwertyuiopThePie (3 years ago)
+shahar coolmen It already does that. Doesn't stop things like this from happening.
Fenno (3 years ago)
So in short, this is XSS in Minecraft? Scary...
Colorfusion1 (3 years ago)
+Fennoman You can have a script run on anyone's PC if they run it themselves. :runthis start %0 goto runthis There's a fork bomb. If you run that as a batch file on Windows, your computer will crash. This text is now also downloaded on your computer as a temp browser cache.  But, until you manually execute it, it's completely harmless. I could also use a steganography program to hide the data in a PNG image, but it still does nothing. Servers can already download resource packs automatically, so it's not like this feature opens up any vulnerabilities. Custom maps can already contain ANY file, even already in an executable format, which is even closer to being dangerous.
Fenno (3 years ago)
+Colorfusion1 I know how (web) servers work, still an interesting read though! I was more referring to the fact you can write a fairly simple 'script' to run on the victims PC and either gather more information or do some serious damage. The file they download has to be 'ran' to display it, which is what you describe as a request.
Colorfusion1 (3 years ago)
+Fennoman This isn't XSS. This is a server being able to get information that any server can already get. When an image is posted, on a forum or anywhere else, your computer requests the image from the server that it is hosted on. When it does this, the IP address and some of your computer info is broadcast to the site. Any site you visit, or any site hosting content embedded on a site you visit (including advertisements, and images people post on forums), can get this information. It's not secret or private to anyone, and it's kind of necessary to make the Internet work. You may have seen an image like in someone's forum signature: http://www.danasoft.com/vipersig.jpg When a request comes in for the image, Danasoft quickly creates and sends back an image with the information that came with the request.
Wout12345 (3 years ago)
Problem is, the only way I can think of to fix this would be to have all custom skulls be hosted on Mojang's servers, which of course would break a lot of previous creations as you stated, as well as forcing them to create an image hosting service which may very well grow way larger than the current skin one. I doubt they'd want to do that. Regardless though, it should definitely check what it's downloading ... only .png and .jpeg or something, not some random executable.
Laff70 (3 years ago)
+Wout12345 It shouldn't execute the file anyways so it's not that bad.
Yatin Lala (3 years ago)
Scary. So any file type can be downloaded, or only PNG files/makes PNG files?
GeckoCraft (3 years ago)
You just freaked me out...
Durchblick (3 years ago)
WTF thats creepy!
Fyn (3 years ago)
This is awesome and scary at the same time :O This is really nice for mapmakers! You could make a voting system ingame and automatically collect the results on a website! Or you could try to sell our data to some evil internet companies :D
QwertyuiopThePie (3 years ago)
+Kid Goku I dunno man, data's pretty valuable these days. Moot point now anyway.
leonissenbaum (3 years ago)
+QwertyuiopThePie Execpt the last one.
QwertyuiopThePie (3 years ago)
+Fyn Plays That's actually a pretty good use for it.
Mason Verkruisen (3 years ago)
You could not only find the country but the nearest major city of the user.
ㅤfedericorl (3 years ago)
+CrushedPixel Now you have a sub from Italy!
Poptart Overlord (3 years ago)
Question Why troll skin
Darkxellmc (3 years ago)
You need to learn better about css --'
Mint (3 years ago)
This is not even a problem if you know how this works, just collecting user ips and using geolocation to track them. Do you even know what 'Google Analytics' do?
Wout12345 (3 years ago)
+Mint The thing is that by having this in say a custom map Minecraft would force the user to connect to some server, without them knowing, every time they load the skull. That's something different than voluntarily logging onto an MC server.
theo. (3 years ago)
._.
Henning (3 years ago)
Cool idea !
Jas Tech (3 years ago)
I don't think it's a real security issue. Where do you want to put that skull? On a server? - The admins can already track your IP. On a custom map? - You can already track the IP of the visitors of the download page. So when is it a real security issue? Anyways this method is pretty cool for statistics.
hd shadows (2 years ago)
+Jascraft Medien There's this website, where it shows you some heads you can get from copy and pasting. Using the unsafe method. It's a real security issue, and sometimes it's that the map creator doesn't know about this so it's tracking them AND others that download the map.
CrushedPixel (3 years ago)
+StalePhish Yes, it's a clientside library (Yggrdrasil authentication service) that was updated globally. If the Mojang authentication servers are down, the exploit still works!
StalePhish (3 years ago)
+CrushedPixel Interesting. How does that work? Is it entirely client-side so the launcher downloads the update for clients? I'm a server owner and had I not heard about this issue on Twitter, I would still be running the 1.8.3 server JAR from February or whenever
CrushedPixel (3 years ago)
+StalePhish Well, the exploit was back-patched, meaning it's fixed for all 1.7 and 1.8 versions :)
StalePhish (3 years ago)
+Kid Goku Yes, but how many servers are running 1.8.4? 10%? 5%? My point was to not downplay the possibilities if you don't understand the full implications of the exploit.
Solar (3 years ago)
Now I'm scared... Thanks....
Jyel (3 years ago)
OMG I'M IN YOUR DATABASE OMG THAT IS CHEATING OMG !!!!11!!1! Just kidding :) That is really incredible :O

Would you like to comment?

Join YouTube for a free account, or sign in if you are already a member.